Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The 19 August 1994 New York Times carries a long article about hundreds of IRS (Internal Revenue Service, the American tax collection people) employees being disciplined for peeking at tax returns that they shouldn't have been. The IRS's investigations concluded that the employees' suspicious behavior ranged from out-and-out fraud to simple curiosity. The discovered the need for guidelines about which degrees of wrongdoing merited which punishments. The full reference is: Robert D. Hershey, Jr., IRS staff is cited in snoopings, New York Times, 19 July 1994, pages C1, C12. It's one of those stories that can be invoked as evidence for either of two contradictory positions: that employees' illicit use of personal files is a serious problem, or that it's not a real problem since the wrongdoers are getting caught. It's clear that private businesses have the same problems with illicit peeking at personal information. We might ask whether public or private organizations have a greater incentive to prevent this kind of thing. Since information can be copied readily, it's not like pilfering in a warehouse, where the organization loses capital in a straightforward sense and thus has a straightforward interest in preventing it. An exception would be information that is leaked to customers who would otherwise purchase the information from the organization, as opposed to being leaked to people whose status or purposes would not otherwise permit them to buy the information through the front door. Instead, the organization's interest is generally more indirect, having primarily to do with its reputation and the reputations of its leaders. In a society without privacy activists or a free press serving a public that is aware that its privacy is threatened, I think organizations would have little incentive to do anything about leaks of personal information. In the society we have right now, I would suggest that the IRS has a greater incentive to prevent leaks of personal information than does a credit bureau or other private information holder, since it is politically much more practical for the legislature to make the IRS bureaucrats miserable than to make the officers of private firms miserable. Others may disagree, but the important thing is to understand the mechanisms which create, or *could* create, organizational interests in genuinely protecting private information. Fear of legislation is a good one, but others exist as well. Phil Agre, UCSD
[I presume you call a cash till that does not give cash a TELLER? KGG]
[Well, we might as well for the purposes of this message.
It is certainly not an ASKER! PGN]
Today, in my local branch of Banca di Roma, in central Rome, Italy I
encountered a bank teller which had crashed. These machines allow you to
obtain bank statements but do not dispense cash. The display I encountered
contained a number of error messages (file not found, could not create file,
etc) followed by the prompt (A>). Feeling somewhat guilty, I typed DIR, which
worked and listed a number of executables and some documents. I looked at one
called "fine", meaning "end" in Italian, which contained instructions for the
shutdown of the system. At this point I alerted the lady at the counter: "Are
you aware that your system has crashed and that I can modify whatever I want
in the system?". The latter to emphasise the gravity of the situation; I'm
not sure how much I could have done in practice. This did indeed produce some
alarm, and I was told that there was a systems person who'd take of the
situation. I did not see this person arrive during my subsequent wait in the
queue (which this teller is supposed to diminish btw). As for the cause of
the crash, the computer terminals at the counters were dead at roughly the
same time, perhaps due to a common cause.
Kees Goossens <kgg@dsi.uniroma1.it> http://www.dcs.ed.ac.uk/staff/kgg
Dip. di Scienze dell'Informazione, Universita di Roma "La Sapienza", Italy
[A considerable risks would exist if there is a way to crash the
system intentionally in order to reach that prompt... Knowing what
we know about risks, we might suspect that to be the case. PGN]
As RISKS readers know, I have ruffled more than a few feathers here in the US and with foreign governments over the issue of HERF (High Energy Radio Frequency) interference as a potential weapon system. Recently, RISKS readers have seen mounting evidenced of anomalous electrical interference behavior at 37,000 feet. Boeing and Apple and others companies have tried to quantify the phenomenon but EMI and RFI interference is highly elusive. Maybe the July 18, 1994 issue of the New York Times will shed additional light. The FBI mounted a whistle blower sting operation against General Electric with the assistance of one of their engineers who alleged that the company was improperly grounding its jet engines to the detriment of safety to both commercial and military aircraft. So alarmed was the Air Force One pilot that he refused to take off from Rome's airport with President Clinton until he was assured it was safe to do so. The GE engineer and whistle blower Ian Johnson, said he discovered the problems with improper engine grounding in 1989 but was subsequently brushed aside by his concerns. Engine grounding is critical to proper electrical performance in the air, and the technique GE uses to insure a quality connection is called electrical bonding. Is it any coincidence that laptop EMI stories began about a year later when protable digital electronics became popular? As any electrical engineer knows, any connection will introduce a given amount of electrical resistance (measured in ohms . . . Ohm's law, remember?) into a circuit. The goal is to approach zero resistance in any connection. Period. Poor connections not only change the values in the circuit thus changing the circuit performance, but can also become diode-like and act like unpredictable rectifiers. Not good. According to the article, GE engine's electrical bonding should result in an added impedance (resistance) of 2.5 milliohms (.0025 ohms) but were found to in some cases exceed 60,000 milliohms (60 ohms) and that is a lot: off by a factor of 24,000! In my former life as a circuit/systems designer, such an intolerable error would GUARANTEE a failure. The need for adequate bonding is clear: make sure that stray electrical signals such as from lightening bolts or from laptop computers or other consumer electronic devices do not interfere with the safe and reliable operation of a 100 tons of metal hurtling through the atmosphere. GE denies it (what else is new!) and there is bound to be a debate as to whether there really was an intentional cover-up as stated by Mr. Johnson. In an interesting side note, the FBI had Mr. Johnson wear a wire (a tap recorder on his person) over a period of 6 months to get the goods on GE. I guess this case will take over our minds and souls soon enough, on the "All O.J. Network."
An academic journal called _The Information Society_ has just published a
special issue (volume 10, number 2, April-June 1994) entitled "The Digital
Individual". (I'm the issue's guest editor.) It includes five articles whose
general theme is that people's activities increasingly cast "shadows" onto
the insides of computers. As a result, the whole notion of a human individual
is beginning to change. Everyone has their physical self and surroundings and
possessions, but they also have an elaborate digital aspect to their selves
which follows them around through life. People use their digital shadows in
a variety of beneficial ways, for example in sending messages to mailing lists
like Risks, but they are often managed and controlled through their digital
shadows as well. Since the outcome of this ambivalent situation is neither
all-good or all-bad, it helps to make distinctions and put things in contexts,
and that's what the articles in this special issue try to do. If you would
like to see the full contents and abstracts for the special issue, send a
message that looks like this:
To: rre-request@weber.ucsd.edu
Subject: archive send tis-digital
Phil Agre, UCSD
[Remember to sniff it out. The shadow nose! PGN]
I learned the other day that I am a victim on the information
superhighway. It's a long story; I'll relate it in hopes that there are folks
out there who have had similar experiences and can tell me about them.
My wife and I had been getting about 15 anonymous calls a day for the
past three weeks. The caller would contact us at all hours, and would never
say anything at all. We were quite rattled because, as it happened, the calls
began coming just as I, a freelance journalist, began work on a murder story
and just as we prepared for the birth of our first child. The unknown man on
the other end of the line was, in our haunted imagination, a crazed murderer
after our new child.
We tried to invoke "Caller ID" to catch our harasser, but this did not
work. Next, we called our phone carrier, US West, and our local sheriff to get
them to look into the matter. We kept a log of all the "harassing" calls, and
asked ourselves who so hated us that they would spend the money to call us via
long distance 15 times a day and hang up each time.
Finally, the other day we got an answer: A computer software firm had
inadvertently entered our number into a database and prompted one of its
modems to keep trying our number, over and over. The lawyer for the company
called me today to apologize for the disturbance his firm had caused us. He
said, "I guess you were just a victim on the information highway. I'm sorry,"
but I was quite struck how minimal this whole thing was on his end (a few
misstrokes on the keyboard) and how massive the disturbance was on our
end--getting woken in the middle of the night, etc.
I'm thinking now of writing a magazine article on our experience, and
am posting for two reasons. First, I'd like to hear from people who, like me,
have become "victims on the infobahn," and second, I'd like to get some
broader perspective. Do people know of any groups which monitor modem-caused
problems? Are you aware of any laws covering such matters, and do you know
how frequently mishaps like mine occur?
Any imput would be greatly appreciated. Thank you,
Bill Donahue 74562,3064@CompuServe.com
The Benefits Agency (the 65,000 strong government agency responsible for the administration and payment of welfare benefits in the UK) has announced a new method of payment system, to be introduced over the next three years throughout the UK. Customers will present their personalised smart card to the Post Office, who will swipe it, do an (as yet unspecified) id check from info held electronically on the card, and check on-line to the BA office to find out how much money the person is due. This will replace Girocheques and order books; a system of 'valuable paper' which has been essentially unchanged since 1948. The prototype uses a digitised photo and pressure-pad signature. As the cards will have no inherent value, rough estimates are that payment- related benefit fraud will be reduced by approximately 90%. The BA has some 23,000,000 customers at any given time; approximately half the adult population of the UK. Customers will have an alternative to the smart card, in the form of ACT payments to their bank. Shaggy
One of the several RISKS of using computers is that ordinary people (i.e., NOT computer gurus) may tend to listen TOO much to computer gurus. Why? Probably for reasons akin to why we listen to our doctors or our auto mechanics: if they are good they know more than we do about something that is important to us. OK so far. But we (too many of us) are spoiled to getting news in "sound bytes" (or their e-mail or paper memo or slide presentation equivalents). Too many of us do not appreciate the difference between CNN's Headline News and PBS's McNeil-Lehrer Report; or their computing equivalents, for example INFORMATIONWEEK and IEEE COMPUTER. Both valuable, but very different. So we hear one week that ISDN (or some other recent technology) has been revised and is now thriving; and within a month we hear from some other guru that the same technology has not lived up to its promise. Promise? or just hype? not only that, but hype by those same gurus, perhaps a bit too eager for more clients? or just not reading each other's stuff? OK, gurus have only 24 hours a day, and can't keep up either. In early Aug 94, I retire from 34 years of federal service; and will thus for a while at least be off the InterNet. I'll especially miss RISKS because it is one of the very few forums that is both current and thorough which is a tribute to its clients and especially its Moderator. According to some of these same gurus I am an old dog not able to learn new tricks; but others say that people like me are a valuable resource. I believe the latter opinion, not only because it is flattering, but also because the former may misunderstand the difference between 30 years experience and 3 years repeated 10 times. Bob Estell (542 Mary Ann Ave., Ridgecrest, CA 93555)
I have been wearing hearing aids for over twenty years and on numerous
occasions have allowed me to listen to things most people are "deaf" to.
This is made possible by the inductive pickups in my hearing aids, throwing a
switch turns off the microphone and on the inductive pickup & a whole new
world appears.
Just as an example, once upon a time, many people in a particular section of
the building I worked in began complaining of headaches though no reason could
be found. I happened to walk through the area in inductive mode & began to
hear a beeping. Turned out that a RADAR unit at the nearby airbase had become
misaligned and was sweeping the corner of the building. Realignment cured the
headaches.
Through the years I have had many such incidents of being able to identify
electrical problems this way by characteristic "sounds". The point is that the
interior of a commercial aircraft is one of the "noisiest" environments I have
ever encountered with the 400 hz being almost "deafening" and a myriad of
other jingles, jangles, and hums also apparent.
One cannot but think that there must be almost no shielding of any signals in
a modern aircraft and to me the amazing part is not that instruments are
affected by laptops (low amplitude but I can "hear" them) but that they manage
to operate at all in such an electronic bedlam.
Padgett
ps I have no idea what the spectrum of my hearing aids is, just that they
have enabled the detection of too many diverse things to be very limited.
Once they determined that a "haunted" corner in a house was nothing more
than a power box on the other side of the wall.
[Ah, Padgett is an auditory canary, similar to the canary the miners
used to take down with them to provide an early warning on toxic gases!
Think of it as a *gift*. PGN]
Peter Ilieve <peter@memex.co.uk> writes: >`The sophisticated computerised security system was designed to end slopping >out by allowing one prisoner at a time from each landing to go to the toilet >during the night. [Sanitation is not the UK prison system's strong point, >prisoners usually have to make do with a bucket in the corner of the >cell (...) This incident demonstrates a far more important RISK than just subverting the computerized system; the real RISK is that such a system was installed to solve a problem which should have been solved by a better sewage system! Amos Shapir, The Hebrew Univ. of Jerusalem, Dept. of Comp. Science. Givat-Ram, Jerusalem 91904, Israel +972 2 585706,586950 amos@cs.huji.ac.il
Subject: "Firewalls and Internet Security" by Cheswick/Bellovin BKFRINSC.RVW 940502 Addison-Wesley Publishing Company P.O. Box 520 26 Prince Andrew Place Don Mills, Ontario M3C 2T8 416-447-5101 fax: 416-443-0948 Heather Rignanesi, Marketing, x340, 73171.657@Compuserve.com or Tiffany Moore, Publicity tiffanym@aw.com Bob Donegon bobd@aw.com John Wait, Editor, Corporate and Professional Publishing johnw@aw.com Tom Stone, Editor, Higher Education Division tomsto@aw.com Philip Sutherland, Schulman Series 74640.2405@compuserve.com Keith Wollman, Trade Computer Group keithw@aw.com Lisa Roth Blackman, Trade Computer Group lisaro@aw.com 1 Jacob Way Reading, MA 01867-9984 800-822-6339 617-944-3700 Fax: (617) 944-7273 5851 Guion Road Indianapolis, IN 46254 800-447-2226 "Firewalls and Internet Security", Cheswick/Bellovin, 1994, 0-201-63357-4, U$26.95. firewall-book@research.att.com ches@research.att.com smb@research.att.com The Internet has a reputation for a lack of security. Those books which mention security on the Internet generally suggest setting up a firewall machine in order to protect yourself, but stop short of giving anything resembling details of how to do such a thing. Cheswick and Bellovin not only give practical suggestions for firewall construction, they also address other aspects of Internet security, as well. Part one gives a basic background, both of security, and of TCP/IP. If you didn't think you needed security before, you will after reading chapter two. Part two details the construction of firewall gateways, as well as authentication, tools, traps, and cracking tools for use in testing the integrity of your system. Part three discusses attacks, and the logging and analysis, thereof. The book also looks at legal aspects, secure communication over insecure links, resources and various helpful information. Although the book deals specifically with TCP/IP, the concepts, which are the parts stressed, are applicable to any network-connected systems. This is probably destined to become one of the security classics within its specialized field. copyright Robert M. Slade, 1994 BKFRINSC.RVW 940502 ============== Vancouver Institute for Research into User Security Canada V7K 2G6 ROBERTS@decus.ca Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca
Subject: "The Fool's Run" by Camp BKFLSRUN.RVW 940428 %A Camp, John %C 2801 John Street, Markham, Ontario, Canada L3R 1B4 %D 1989 %G 0-451-16712-0 %I Penguin/Signet %O U$4.95/C$5.95 %T "The Fool's Run" I very strongly suspect that whoever wrote the screenplay for "Sneakers" read this first. There is a mob connected corporation. They wish to do some espionage. They hire a tiger team to do it for them. They try to betray, and possibly destroy, the tiger team. The team is then forced to "crack" their former client. There is the same paranoia about the National Security Agency. I don't know who the technical consultant was for this book, but he, she or it did an even better job here than Captain Crunch did for the movie. We have insider information, phone phreaking, database surfing, social engineering and overconfident systems managers. Chapter thirteen introduces computer viral programs, and I had to go back and check the copyright date. At a time when the supposedly technical books were printing absolute garbage, this novel had the concepts down pat (although slightly shaky on the details). Probably it won't become a classic in either literature or data security, but a reasonably fun read, and refreshingly accurate technical details. copyright Robert M. Slade, 1994 BKFLSRUN.RVW 940428 ============== Vancouver Institute for Research into User Security Canada V7K 2G6 ROBERTS@decus.ca Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca
[For further information, contact Mich at 75300.3232@compuserve.com. PGN]
FIRST CALL FOR PARTICIPATION
Second International Conference on Information Warfare:
"Chaos on the Electronic Superhighway"
Conference Date: Wed 18 January 1995
Conference Locale: Dorval Airport Hilton Hotel
Montreal, Canada
1. INTRODUCTION
Cultures that depend on information systems are vulnerable to Information
Warfare. Attacks on data confidentiality, data integrity and data
availability will damage individuals, corporations and other private
organizations, government departments and agencies, nation-states and
supranational bodies.
It is essential to erect legal, organizational, and cultural defences
against information warfare.
The Second International Conference on Information Warfare will focus on panel
discussions of Winn Schwartau's new book, _Information Warfare: Chaos on the
Electronic Superhighway_, published in 1994 by Thunder's Mouth Press (ISBN
1-56025-080-1).
This announcement serves as a request for participation by those wishing to
appear on panels, those wishing to suggest speakers, and others wishing to be
added to a mailing list (electronic and snailmail) for further details as they
develop.
Panelists will be asked to analyze selected portions of _Information Warfare_
and to present refutations or support for the author's statements, assertions,
predictions, warnings and recommendations.
The Conference will serve the interests of information security
specialists and strategic planners from the corporate world, military
and government circles, and academia. The Press will be permitted
to cover the event, providing opportunities for increased public
awareness of vulnerabilities of the information infrastructure.
The Conference Proceedings will contribute to the national and
international debates about information warfare and the need for
careful planning to avoid disruption by hostile forces as national
and international information highways develop worldwide.
Following recommendations from last year's participants in the First
International Conference on Information Warfare, we have scheduled more free
time for the animated discussion among participants.
Informal discussions will be aided by Special Interest Group signs allowing
people with specific interests to congregate.
The organizers are making a special effort to reach members of the defence
establishments of Canada and the United States. In order to foster the
greatest degree of serious and productive discussion, room has been reserved
for no more than 100 participants.
2. PROGRAM:
07:30-08:30 Registration and Continental Breakfast
08:30-09:00 Keynote Address:Warfare and InfoSec
09:00-10:15 Class I InfoWar: Attacks on Personal Information
10:15-10:45 Break for informal discussions by topic:
Privacy, Cryptography, Laws, Law Enforcement
10:45-12:00 Class II InfoWar: Corporate InfoSec
12:00-13:30 Buffet lunch and informal discussions by sector:
Corporate, Government, Military, Academic
13:30-14:45 Class III InfoWar: Global InfoSec
14:45-15:30 Informal discussions by network technology:
PCs, LANs, WANs, Internet
15:30-16:15 General discussions among panelists and other
participants
16:15-16:30 Closing comments
The official language of the Conference is English.
3. SUBMISSIONS
The Program Committee will select a suitable number of
participants for the panel discussions. Selection will be based on
subjective judgements of who is likely to offer the most thoughtful
and stimulating expositions and analyses of the topics.
Once panelists have been selected, the Program Committee requests
that they submit a brief written analysis of the topic they agreed to
speak on. This one- to ten-page document will be published in the
Conference Handbook and will then appear in the Conference
Proceedings along with additional materials added during the
Conference.
Deadline for consideration as a panelist: 30 Sep 1994.
Confirmation of panel participation: 15 Oct 1994.
Deadline for submissions for inclusion in Conference Handbook:
15 Nov 94.
[Rest deleted. Write Mich for full text. PGN]
Please report problems with the web pages to the maintainer